
SecureMail configuration

by Mike Pearson last modified 2007-06-25 13:30

How to configure your organisation's mail system for SecureMail

DECIDE YOUR MINIMUM SECURITY REQUIREMENTS

Decide whether your messages should be sent and received securely on a "Best Efforts" or a "SecureMail" basis.

  • "Best Efforts"
    • Your server will try to send and receive securely; if that is not possible, it carries on as normal over insecure SMTP.
  • "SecureMail"
    • Your SecureMail server will try to send and receive securely.  Incoming messages that fail the security tests are not accepted, and outgoing messages that fail the security requirements are not sent.

 

CONFIGURING A "BEST EFFORTS" MAIL SERVER


Configure your mail server for "Best Efforts" outbound email



Step 1. Create a Sender Policy Framework (SPF) record:  Publish an SPF record in your domain's DNS, so that your mail server can be authenticated as an approved sender of your messages.   For more information on this specification, visit the SPF website: http://www.openspf.org/

Step 2. Create a SenderID record:  Publish a SenderID record in your domain's DNS, so that your mail server can be authenticated as an approved sender of your messages.   For more information on this specification, visit the SenderID page: http://www.microsoft.com/mscorp/safety/technologies/senderid/default.mspx

Step 3. Configure your existing mail server for TLS:

  • By default, send messages via a TLS connection IF the receiving server supports it; otherwise send via normal (insecure) SMTP.
  • The minimum cryptography standards are defined by the commonly available implementations of TLS.  The current requirements are Diffie-Hellman key exchange, 256-bit AES encryption and a SHA-1 message digest. In future these requirements are expected to move to elliptic-curve key exchange (ECDH, with ECDSA signatures) and SHA-256.


Configure your mail server for "Best Efforts" Inbound email


Step 4. Configure your mail server to support TLS: Accept messages via a TLS connection IF the sending server supports it; otherwise receive them via normal (insecure) SMTP.

Step 5. Configure your mail server to check the sender's SPF record and reject email that fails the test.

Step 6. Configure your mail server to check the sender's SenderID record and reject email that fails the test.




SECUREMAIL MAIL SERVER


Configure your mail server for "SecureMail" outbound email



Step 1. Create a Sender Policy Framework (SPF) record:  Publish an SPF record in your domain's DNS, so that your mail server can be authenticated as an approved sender of your messages.   End the record with "-all" so that all other senders are prohibited (hard fail).

Step 2. Create a SenderID record:  Publish a SenderID record in your domain's DNS, so that your mail server can be authenticated as an approved sender of your messages.   End the record with "-all" so that all other senders are prohibited (hard fail).

Step 3. Use the SecureMail Naming Convention:  SecureMail mail servers should follow our naming convention, so that users can see the domain offers secure mail.  The recommended convention is to add securemail to the left of the existing mail domain e.g. securemail.organisation.com; securemail.company.co.uk.

Step 4. Configure your SecureMail server for TLS:

  • Only send messages via a TLS connection. IF the receiving server does not support it, return the message to the sender.
  • The minimum cryptography standards are defined by the commonly available implementations of TLS.  The current requirements are Diffie-Hellman key exchange, 256-bit AES encryption and a SHA-1 message digest. In future these requirements are expected to move to elliptic-curve key exchange (ECDH, with ECDSA signatures) and SHA-256.
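The outbound TLS behaviour of Step 3 in the "Best Efforts" section and Step 4 above, as an added example that is not part of this page or of the SecureMail project: a Python function that drives an smtplib-style SMTP session, upgrades to TLS when the receiving server offers STARTTLS, and either falls back to plaintext (Best Efforts) or bounces the message (SecureMail), checking the negotiated cipher suite against the minimum requirements stated above. The session class is a constructed stand-in for smtplib.SMTP so the code runs offline; the addresses, the cipher-suite names and the mapping of the page's requirements onto OpenSSL suite names are assumptions.

```python
import ssl


class TlsRequired(Exception):
    """SecureMail policy could not be met; the caller bounces the message to its sender."""


def cipher_meets_minimum(name, bits):
    """Check a negotiated cipher suite against the minimum on this page:
    Diffie-Hellman key exchange (finite-field or elliptic-curve), 256-bit AES,
    SHA-1 or a stronger digest.  Assumption: OpenSSL-style names as returned by
    SSLSocket.cipher(), e.g. 'DHE-RSA-AES256-SHA' or 'ECDHE-ECDSA-AES256-GCM-SHA384'."""
    if name.startswith("TLS_"):                       # TLS 1.3 suites always use (EC)DHE
        return "AES_256" in name and bits >= 256
    parts = name.upper().split("-")
    return (parts[0] in ("DHE", "ECDHE")
            and "AES256" in parts and bits >= 256
            and any(p.startswith("SHA") for p in parts))


def minimum_tls_context():
    """Client context for STARTTLS: certificate and hostname verification on,
    nothing older than TLS 1.2.  The cipher policy is enforced after the handshake
    by cipher_meets_minimum(), because the page states it as a policy, not a cipher string."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def deliver(session, policy, sender, recipients, message, context=None):
    """Send one message through an open smtplib.SMTP-compatible session.
    policy is "best-efforts" (fall back to plaintext) or "securemail" (never plaintext).
    Returns the negotiated cipher name, or None when sent in clear under best-efforts."""
    if policy not in ("best-efforts", "securemail"):
        raise ValueError(f"unknown policy {policy!r}")
    session.ehlo()
    cipher = None
    if session.has_extn("starttls"):
        session.starttls(context=context or minimum_tls_context())  # raises on a bad handshake
        session.ehlo()                                               # RFC 3207: EHLO again after TLS
        cipher, _version, bits = session.sock.cipher()
        if policy == "securemail" and not cipher_meets_minimum(cipher, bits):
            session.quit()
            raise TlsRequired(f"negotiated {cipher} is below the minimum requirements")
    elif policy == "securemail":
        session.quit()
        raise TlsRequired("receiving server does not offer STARTTLS")
    session.sendmail(sender, recipients, message)
    return cipher


class FakeSession:
    """Constructed stand-in for smtplib.SMTP so the policy logic runs offline;
    a real run would pass an smtplib.SMTP(host) object to deliver() instead."""
    class _Sock:
        def __init__(self, cipher): self._cipher = cipher
        def cipher(self): return self._cipher

    def __init__(self, offers_starttls=True, cipher=("DHE-RSA-AES256-SHA", "TLSv1.2", 256)):
        self.offers_starttls, self._cipher = offers_starttls, cipher
        self.sock, self.sent, self.closed = None, [], False
    def ehlo(self): return 250, b"ok"
    def has_extn(self, name): return self.offers_starttls and name.lower() == "starttls"
    def starttls(self, context=None): self.sock = self._Sock(self._cipher)
    def sendmail(self, sender, recipients, message): self.sent.append((sender, recipients, message))
    def quit(self): self.closed = True


def outcome(session, policy):
    """Run one delivery and summarise it: 'tls:<cipher>', 'clear' or 'bounced'."""
    try:
        cipher = deliver(session, policy, "user@example.org", ["peer@example.net"],
                         "Subject: test\r\n\r\nhello")
    except TlsRequired:
        return "bounced"
    return f"tls:{cipher}" if cipher else "clear"


if __name__ == "__main__":
    peers = {"tls-ok": lambda: FakeSession(True),
             "no-starttls": lambda: FakeSession(False),
             "weak-cipher": lambda: FakeSession(True, ("AES128-SHA", "TLSv1.2", 128))}
    for policy in ("best-efforts", "securemail"):
        for label, make in peers.items():
            print(f"{policy:<13} {label:<12} -> {outcome(make(), policy)}")
```

Under "best-efforts" a peer without STARTTLS still gets the message in clear and a weak suite is accepted; under "securemail" both cases close the session without sending, which is the point at which a real server queues a bounce to the sender.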



Configure your mail server for "SecureMail" inbound email



Step 5.  Do NOT create an MX record. Your SecureMail server will reject insecure messages.  This goes against the RFC for SMTP over TLS (RFC 3207), which states that a publicly referenced SMTP server must not require STARTTLS in order to deliver mail locally.  Therefore your SecureMail server must not be advertised in an MX record as an ordinary mail host.

Step 6. Refuse mail from senders: Configure your SecureMail server to refuse mail from senders if:

  • the sender does not have a valid SPF record;
  • the sender does not have a valid SenderID record;
  • the sender does not use a TLS connection; or
  • the sender's TLS connection does not meet the minimum requirements.
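The SPF checks of Steps 1, 2, 5 and 6 in the "Best Efforts" section and Steps 1, 2 and 6 above, as an added example that is not part of this page or of the SecureMail project: a small SPF evaluator in Python that resolves the published record for the sending domain, evaluates the connecting IP against it (ip4, ip6, a, mx, include and all, with the +/-/~/? qualifiers), and then applies the two inbound policies to the result. It reads from a constructed in-memory zone instead of live DNS, so every domain name, record and address is made up; the treatment of softfail and of a missing record under each policy is an assumption, since the page only says "valid SPF record".

```python
import ipaddress

# Constructed stand-in for DNS (assumption: an offline example; every name,
# record and address here is made up for illustration).
ZONE = {
    "example.org": {
        "txt": ["v=spf1 mx ip4:192.0.2.0/24 include:_spf.mailhost.example -all"],
        "mx": ["securemail.example.org"],
    },
    "securemail.example.org": {"a": ["198.51.100.25"]},
    "_spf.mailhost.example": {"txt": ["v=spf1 ip4:203.0.113.10 ip6:2001:db8::/32 -all"]},
    "besteffort.example": {"txt": ["v=spf1 ip4:192.0.2.0/24 ~all"]},   # soft fail only
    "nospf.example": {},                                                 # publishes no record
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(domain, rrtype):
    """Return the records of one type for a name from the constructed zone."""
    return ZONE.get(domain, {}).get(rrtype, [])


def spf_record(domain):
    """The v=spf1 TXT record for a domain, or None when it publishes none."""
    for txt in lookup(domain, "txt"):
        if txt.split()[0].lower() == "v=spf1":
            return txt
    return None


def check_host(ip, domain, depth=0):
    """Evaluate the domain's SPF record for the connecting IP, in the spirit of
    RFC 4408 check_host(): pass, fail, softfail, neutral, none or permerror."""
    if depth > 10:                     # include: loops are a permanent error
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:   # mechanisms are evaluated left to right
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name == "ip4":
            matched = addr.version == 4 and addr in ipaddress.ip_network(arg, strict=False)
        elif name == "ip6":
            matched = addr.version == 6 and addr in ipaddress.ip_network(arg, strict=False)
        elif name == "a":
            matched = str(addr) in lookup(arg or domain, "a")
        elif name == "mx":
            matched = any(str(addr) in lookup(mx, "a") for mx in lookup(arg or domain, "mx"))
        elif name == "include":
            matched = check_host(ip, arg, depth + 1) == "pass"
        else:                          # exists, ptr, macros and modifiers are out of scope here
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                   # no mechanism matched and no "all" term


def inbound_decision(policy, spf_result):
    """Apply the page's two inbound policies to an SPF result (assumption: SecureMail
    demands a positive pass; Best Efforts rejects only an explicit hard fail)."""
    if policy == "securemail":
        return "accept" if spf_result == "pass" else "reject"
    return "reject" if spf_result == "fail" else "accept"


if __name__ == "__main__":
    for ip, dom in [("192.0.2.7", "example.org"), ("203.0.113.99", "example.org"),
                    ("203.0.113.99", "besteffort.example"), ("203.0.113.99", "nospf.example")]:
        result = check_host(ip, dom)
        print(f"{ip:>14} {dom:<22} spf={result:<8} "
              f"best-efforts={inbound_decision('best-efforts', result)} "
              f"securemail={inbound_decision('securemail', result)}")
```

The "-all" recommended in Steps 1 and 2 is what turns an unlisted sender into a hard fail that both policies reject; a domain ending its record in "~all" only ever produces a softfail, which the Best Efforts policy lets through.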


Step 7. Test your configuration: http://secmx.org/secmx-tools
